MS-CHAP 2 change password

May 26, 2010 at 9:50 PM

Microsoft's remote access documentation says:

"MS-CHAP (version 1 and version 2) is the only authentication protocol provided with the Windows Server 2003 family that supports password change during the authentication process."

I can't for the life of me find (a) this API [if it exists as part of the RAS API] and hence (b) where to look in DotRas to see if it supports this. Anyone have any thoughts on this?

May 27, 2010 at 1:41 AM
Edited May 27, 2010 at 1:42 AM

Hey Keith,

We actually have a work item already on the site to get this implemented; however, since the RasDial API cannot handle changing expired passwords, the RasDialer component cannot handle expired passwords during authentication. I did some research into the subject and created a thread on the MSDN community forums, but as of right now nothing has happened. The API indicates it only works with RASPHONE.exe, which is what the RasDialDialog uses (I have confirmed it will update expired passwords). However, if you use that component you will have to use a user interface, but you will have the support you need.

As of right now, that's all I can do.

- Jeff

May 27, 2010 at 2:13 PM

I see, ok.

I also looked into using MSChapSrvChangePassword directly, but even with native C++ I ran into no end of trouble with the header. (I'm new to Win32 development, so I'm likely missing something, but the compiler complained about the *syntax* in the header file. Grr. I don't see any myself, but ...)

May 28, 2010 at 1:54 AM

You may have found the missing link on how to update the password through RasDial. I'll have to see what I can do with it, I might be able to get it to work. Keep in mind I have no way of knowing if the servers will react how we want them to until I do some initial discovery on using this API in conjunction with the RAS APIs, so this might not work at all.

May 28, 2010 at 5:13 PM

Well, after doing some investigation it looks like that would require partial implementation of RFC 2433. I don't think I could commit to doing that, because that means the project would have to keep track of any RFC changes.

May 28, 2010 at 5:42 PM

Thanks for looking at this - I suspect my management isn't going to want to have me do anything like implementing RFC 2433 either, so I will recommend we "timebomb" the password update.

However, I also found out about NetUserChangePassword() - I'm wondering if that would work for at least the special case I have to deal with, namely CHAP and RADIUS and a Windows domain. I have to get a new testing account on our infrastructure set up prior to me doing this, so I haven't tried yet. (Don't want to clobber someone's account by mistake!)
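
For anyone picking up the NetUserChangePassword() idea above, here is an added example of what the call looks like from .NET. It is not DotRas code and not from the thread's authors: a plain P/Invoke of the Win32 NetUserChangePassword function from netapi32.dll, with the status codes a caller most often has to tell apart. The domain and account names are placeholders. The call is a network request to the domain, so it assumes the domain controller is reachable at the moment it runs; whether that holds in the CHAP/RADIUS case before the RAS link is up is exactly the thing a test account would have to confirm.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not DotRas code): change a domain account's password with the
// Win32 NetUserChangePassword API and map its common status codes to text.
public static class DomainPasswordChange
{
    // NET_API_STATUS NetUserChangePassword(LPCWSTR domainname, LPCWSTR username,
    //                                      LPCWSTR oldpassword, LPCWSTR newpassword);
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    private static extern uint NetUserChangePassword(
        string domainName, string userName, string oldPassword, string newPassword);

    // Status codes from winerror.h / lmerr.h.
    private const uint NERR_Success = 0;
    private const uint ERROR_ACCESS_DENIED = 5;
    private const uint ERROR_INVALID_PASSWORD = 86;
    private const uint NERR_UserNotFound = 2221;
    private const uint NERR_PasswordTooShort = 2245;

    public sealed class Result
    {
        public uint Status;
        public string Message;
        public bool Succeeded { get { return Status == NERR_Success; } }
    }

    // domain may be a domain name or a DC name; passing null uses the logon domain.
    public static Result Change(string domain, string user, string oldPassword, string newPassword)
    {
        if (string.IsNullOrEmpty(user))
            throw new ArgumentException("user name must not be empty", "user");
        if (string.IsNullOrEmpty(newPassword))
            throw new ArgumentException("new password must not be empty", "newPassword");

        uint status = NetUserChangePassword(domain, user, oldPassword, newPassword);
        return new Result { Status = status, Message = Describe(status) };
    }

    private static string Describe(uint status)
    {
        switch (status)
        {
            case NERR_Success:
                return "Password changed.";
            case ERROR_ACCESS_DENIED:
                return "Access denied (for example, domain policy forbids the change right now).";
            case ERROR_INVALID_PASSWORD:
                return "The old password is wrong.";
            case NERR_UserNotFound:
                return "The account was not found in the given domain.";
            case NERR_PasswordTooShort:
                // Documented as the status for any password-policy rejection,
                // not only length: complexity and history failures land here too.
                return "The new password was rejected by password policy.";
            default:
                return "NetUserChangePassword failed with status " + status;
        }
    }

    // Usage: domain and account below are placeholders, not values from the thread.
    // Passwords are read from the console so they never sit on a command line.
    public static void Main()
    {
        Console.Write("Current password: ");
        string oldPw = Console.ReadLine();
        Console.Write("New password: ");
        string newPw = Console.ReadLine();

        Result r = Change("EXAMPLE-DOMAIN", "testaccount", oldPw, newPw);
        Console.WriteLine(r.Message);
        Environment.ExitCode = r.Succeeded ? 0 : 1;
    }
}
```

Two points worth keeping in mind when wiring this into a dialer: the function changes the password by talking to the domain, not to the RAS server, so it does nothing for the MS-CHAP "change password during authentication" exchange itself; and because NERR_PasswordTooShort covers every policy failure, a user-facing message should not promise that a longer password will fix it.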

May 28, 2010 at 6:46 PM
Edited May 28, 2010 at 8:26 PM

If I were you, I'd set up a virtual server hosted on my machine through Virtual PC or (my favorite) Sun VirtualBox. Both are good applications, but VirtualBox supports more operating systems and seems to run them better. It also can handle a 64-bit guest OS on a 32-bit host OS, though it does run slower since it has to map the 64-bit memory addresses back to their 32-bit counterparts. They work great for trying stuff like this, and it's what I've been doing for release builds for my integration tests.